FIREWALL-CMD(1)                 firewall-cmd                 FIREWALL-CMD(1)
NAME
firewall-cmd - firewalld command line client

SYNOPSIS
firewall-cmd [OPTIONS...]
DESCRIPTION
firewall-cmd is the command line client of the firewalld daemon. It provides an interface to manage the runtime and permanent configuration.

The runtime configuration in firewalld is separated from the permanent configuration. This means that changes can be made in either the runtime or the permanent configuration.
OPTIONS
Sequence options are the options that can be specified multiple times. For them the exit code is 0 if there is at least one item that succeeded. The ALREADY_ENABLED (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16) errors are also treated as succeeded. If there are issues while parsing the items, these are treated as warnings and will not change the result as long as there is a succeeded one. Without any succeeded item, the exit code depends on the error codes: if there is exactly one error code, that code is used; if there are more than one, UNKNOWN_ERROR (254) is used.

The following options are supported:
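As an added example (not part of the man page), the exit-code rule for sequence options stated above written out in Python, so a script wrapping firewall-cmd can derive the same verdict from per-item codes; the code values come from the EXIT CODES table below, and the reading that several items failing with the same code still count as "exactly one error code" is an assumption.

```python
# Added example, not part of the firewall-cmd man page: reproduces how the
# overall exit code of a sequence option (an option given several times, e.g.
# several --add-port=... in one call) is derived from the per-item results.

ALREADY_ENABLED = 11      # values from the EXIT CODES table
NOT_ENABLED = 12
ZONE_ALREADY_SET = 16
UNKNOWN_ERROR = 254

# Per-item results the man page says are treated as if the item succeeded.
TREATED_AS_SUCCESS = {0, ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET}


def sequence_exit_code(item_codes):
    """Overall exit code for a sequence option given each item's own code.

    A parse problem for an item is represented by that item's error code
    (e.g. INVALID_PORT, 102); it is only a warning as long as some other
    item succeeded.
    """
    codes = list(item_codes)
    if not codes:
        raise ValueError("a sequence option needs at least one item")
    if any(code in TREATED_AS_SUCCESS for code in codes):
        return 0                      # at least one item succeeded
    distinct = set(codes)
    if len(distinct) == 1:
        # Assumption: "exactly one error code" means one distinct code, so
        # two items failing with the same code still report that code.
        return distinct.pop()
    return UNKNOWN_ERROR              # several different failures


def classify_exit_code(code):
    """Coarse class of a firewall-cmd exit code, derived from the ranges in
    the EXIT CODES table: 2 = usage error, 11-37 = operation-level errors
    such as ALREADY_ENABLED or COMMAND_FAILED, 100-138 = INVALID_*,
    200-207 = MISSING_*, 252 = daemon not running, 253 = not authorized."""
    if code == 0:
        return "success"
    if code == 2:
        return "usage"
    if 11 <= code <= 37:
        return "operation"
    if 100 <= code <= 138:
        return "invalid"
    if 200 <= code <= 207:
        return "missing"
    if code == 252:
        return "not-running"
    if code == 253:
        return "not-authorized"
    return "unknown"
```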
General Options
-h, --help
-V, --version
-q, --quiet
Status Options
--state
--reload
--complete-reload
--runtime-to-permanent
Log Denied Options
--get-log-denied
--set-log-denied=value
This is a runtime and permanent change and will also reload the firewall to be able to add the logging rules.
Automatic Helpers Options
--get-automatic-helpers
--set-automatic-helpers=value
This is a runtime and permanent change and will also reload the firewall to be able to make the helpers usable.
Permanent Options
--permanent
If you want to make a change in both the runtime and the permanent configuration, use the same call with and without the --permanent option.
The --permanent option can be optionally added to all options further down where it is supported.
Zone Options
--get-default-zone
--set-default-zone=zone
This is a runtime and permanent change.
--get-active-zones
zone1
  interfaces: interface1 interface2 ..
  sources: source1 ..
zone2
  interfaces: interface3 ..
zone3
  sources: source2 ..
If there are no interfaces or sources bound to the zone, the corresponding line will be omitted.
[--permanent] --get-zones
[--permanent] --get-services
[--permanent] --get-icmptypes
[--permanent] --get-zone-of-interface=interface
[--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
[--permanent] --info-zone=zone
zone
  interfaces: interface1 ..
  sources: source1 ..
  services: service1 ..
  ports: port1 ..
  protocols: protocol1 ..
  forward-ports: forward-port1 ..
  source-ports: source-port1 ..
  icmp-blocks: icmp-type1 ..
  rich rules: rich-rule1 ..
[--permanent] --list-all-zones
zone1
  interfaces: interface1 ..
  sources: source1 ..
  services: service1 ..
  ports: port1 ..
  protocols: protocol1 ..
  forward-ports: forward-port1 ..
  icmp-blocks: icmp-type1 ..
  rich rules: rich-rule1 ..
..
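As an added example (not from the man page), a small Python parser for the `--list-all-zones` / `--info-zone` layout shown above, followed by a report of which zones actually filter traffic and what they admit; the sample output is constructed, and the "(active)" suffix and tab-indented rich rules it handles are assumptions about the real client's output beyond what the page shows.

```python
# Added example, not part of the firewall-cmd man page: parses the text that
# `firewall-cmd --list-all-zones` prints in the layout shown above, then
# reports, per zone that actually filters traffic, what it lets through.

# Constructed sample in the documented layout. Assumption: real output also
# prints "(active)" after a bound zone's name and lists rich rules one per
# line with a leading tab; both are handled below.
SAMPLE_LIST_ALL_ZONES = """\
public (active)
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 8443/tcp
  protocols:
  forward-ports: port=80:proto=tcp:toport=8080
  icmp-blocks: echo-request
  rich rules:
\trule family=ipv4 source address=203.0.113.7 reject
trusted
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward-ports:
  icmp-blocks:
  rich rules:
internal (active)
  sources: 10.0.0.0/8
  services: ssh samba
"""

# Attributes whose entries mean traffic is admitted to the host or forwarded.
ALLOW_KEYS = ("services", "ports", "protocols", "forward-ports", "rich rules")


def parse_zones(text):
    """Return {zone: {attribute: [entries]}}. An attribute line that is
    missing (as --get-active-zones omits empty ones) simply stays absent."""
    zones, zone, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():                      # zone header line
            zone, key = line.split()[0], None          # drop "(active)"
            zones[zone] = {}
        elif raw.startswith("\t") or raw.startswith("   "):
            # deeper indentation: one more entry for the current attribute
            if zone is None or key is None:
                raise ValueError("continuation without attribute: %r" % raw)
            zones[zone][key].append(line)
        else:                                         # "  key: value .."
            if zone is None:
                raise ValueError("attribute line before any zone: %r" % raw)
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            # a rich rule contains spaces, so it must not be split on them
            entries = [value] if key == "rich rules" and value else value.split()
            zones[zone][key] = entries
    return zones


def exposure_report(zones):
    """Zones with an interface or source bound, mapped to what they bind and
    what they admit. Zones bound to nothing filter no traffic and are skipped."""
    report = {}
    for name, attrs in zones.items():
        bound = attrs.get("interfaces", []) + attrs.get("sources", [])
        if not bound:
            continue
        allows = {k: attrs[k] for k in ALLOW_KEYS if attrs.get(k)}
        report[name] = {"bound_to": bound, "allows": allows}
    return report
```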
--permanent --new-zone=zone
--permanent --new-zone-from-file=filename [--name=zone]
--permanent --delete-zone=zone
--permanent --load-zone-defaults=zone
--permanent --path-zone=zone
--permanent --zone=zone --set-description=description
--permanent --zone=zone --get-description
--permanent --zone=zone --set-short=description
--permanent --zone=zone --get-short
--permanent [--zone=zone] --get-target
--permanent [--zone=zone] --set-target=target
Options to Adapt and Query Zones
Options in this section affect only one particular zone. If used with the --zone=zone option, they affect the zone zone. If the option is omitted, they affect the default zone (see --get-default-zone).

[--permanent] [--zone=zone] --list-all
[--permanent] [--zone=zone] --list-services
[--permanent] [--zone=zone] --add-service=service [--timeout=timeval]
The service is one of the firewalld provided services. To get a list of the supported services, use firewall-cmd --get-services.
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] --remove-service=service
[--permanent] [--zone=zone] --query-service=service
[--permanent] [--zone=zone] --list-ports
[--permanent] [--zone=zone] --add-port=portid[-portid]/protocol [--timeout=timeval]
The port can either be a single port number or a port range portid-portid. The protocol can either be tcp or udp.
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol
[--permanent] [--zone=zone] --query-port=portid[-portid]/protocol
[--permanent] [--zone=zone] --list-protocols
[--permanent] [--zone=zone] --add-protocol=protocol [--timeout=timeval]
The protocol can be any protocol supported by the system. Please have a look at /etc/protocols for supported protocols.
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] --remove-protocol=protocol
[--permanent] [--zone=zone] --query-protocol=protocol
[--permanent] [--zone=zone] --list-source-ports
[--permanent] [--zone=zone] --add-source-port=portid[-portid]/protocol [--timeout=timeval]
The port can either be a single port number or a port range portid-portid. The protocol can either be tcp or udp.
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] --remove-source-port=portid[-portid]/protocol
[--permanent] [--zone=zone] --query-source-port=portid[-portid]/protocol
[--permanent] [--zone=zone] --list-icmp-blocks
[--permanent] [--zone=zone] --add-icmp-block=icmptype [--timeout=timeval]
The icmptype is one of the icmp types firewalld supports. To get a listing of supported icmp types: firewall-cmd --get-icmptypes
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] --remove-icmp-block=icmptype
[--permanent] [--zone=zone] --query-icmp-block=icmptype
[--permanent] [--zone=zone] --list-forward-ports
For IPv6 forward ports, please use the rich language.
[--permanent] [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=timeval]
The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp or udp. The destination address is a simple IP address.
The --timeout option is not combinable with the --permanent option.
For IPv6 forward ports, please use the rich language.
[--permanent] [--zone=zone] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
For IPv6 forward ports, please use the rich language.
[--permanent] [--zone=zone] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
For IPv6 forward ports, please use the rich language.
[--permanent] [--zone=zone] --add-masquerade [--timeout=timeval]
The --timeout option is not combinable with the --permanent option.
For IPv6 masquerading, please use the rich language.
[--permanent] [--zone=zone] --remove-masquerade
For IPv6 masquerading, please use the rich language.
[--permanent] [--zone=zone] --query-masquerade
For IPv6 masquerading, please use the rich language.
[--permanent] [--zone=zone] --list-rich-rules
[--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] --remove-rich-rule='rule'
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
[--permanent] [--zone=zone] --query-rich-rule='rule'
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
Options to Handle Bindings of Interfaces
Binding an interface to a zone means that this zone's settings are used to restrict traffic via the interface.

Options in this section affect only one particular zone. If used with the --zone=zone option, they affect the zone zone. If the option is omitted, they affect the default zone (see --get-default-zone).
For a list of predefined zones use firewall-cmd --get-zones.
An interface name is a string up to 16 characters long, that may not contain ' ', '/', '!' and '*'.
[--permanent] [--zone=zone] --list-interfaces
[--permanent] [--zone=zone] --add-interface=interface
If the interface is under control of NetworkManager, NetworkManager is contacted first to change the zone of the connection that is using the interface. If this fails, the zone binding is created in firewalld and the limitations below apply. For interfaces that are not under control of NetworkManager, firewalld tries to change the ZONE setting in the ifcfg file, if the file exists.
As an end user you don't need this in most cases, because NetworkManager (or the legacy network service) adds interfaces into zones automatically (according to the ZONE= option in the ifcfg-interface file) if NM_CONTROLLED=no is not set. You should do it only if there is no /etc/sysconfig/network-scripts/ifcfg-interface file. If there is such a file and you add the interface to a zone with this --add-interface option, make sure the zone is the same in both places, otherwise the behaviour is undefined. Please also have a look at the firewalld(1) man page in the Concepts section. For permanent association of an interface with a zone, see also 'How to set or change a zone for a connection?' in firewalld.zones(5).
[--zone=zone] --change-interface=interface
Change the zone the interface interface is bound to, to zone zone. It is basically --remove-interface followed by --add-interface. If the interface has not been bound to a zone before, it behaves like --add-interface. If zone is omitted, the default zone is used.
[--permanent] [--zone=zone] --query-interface=interface
[--permanent] --remove-interface=interface
Remove the binding of interface interface from the zone it was previously added to.
For the addition or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface.
Only for the removal of interfaces that are not under control of NetworkManager: firewalld does not try to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone. Only the zone binding is then removed in firewalld.
Options to Handle Bindings of Sources
Binding a source to a zone means that this zone's settings will be used to restrict traffic from this source.

A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6, a MAC address, or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
Options in this section affect only one particular zone. If used with the --zone=zone option, they affect the zone zone. If the option is omitted, they affect the default zone (see --get-default-zone).
For a list of predefined zones use firewall-cmd [--permanent] --get-zones.
[--permanent] [--zone=zone] --list-sources
[--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
[--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
[--permanent] [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
[--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
IPSet Options
--permanent --new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
--permanent --new-ipset-from-file=filename [--name=ipset]
--permanent --delete-ipset=ipset
--permanent --load-ipset-defaults=ipset
[--permanent] --info-ipset=ipset
ipset
  type: type
  options: option1[=value1] ..
  entries: entry1 ..
[--permanent] --get-ipsets
--permanent --ipset=ipset --set-description=description
--permanent --ipset=ipset --get-description
--permanent --ipset=ipset --set-short=description
--permanent --ipset=ipset --get-short
[--permanent] --ipset=ipset --add-entry=entry
[--permanent] --ipset=ipset --remove-entry=entry
[--permanent] --ipset=ipset --query-entry=entry
[--permanent] --ipset=ipset --get-entries
[--permanent] --ipset=ipset --add-entries-from-file=filename
The file should contain one entry per line. Lines starting with a hash or semicolon are ignored, as are empty lines.
[--permanent] --ipset=ipset --remove-entries-from-file=filename
The file should contain one entry per line. Lines starting with a hash or semicolon are ignored, as are empty lines.
--permanent --path-ipset=ipset
Service Options
Options in this section affect only one particular service.

[--permanent] --info-service=service
service
  ports: port1 ..
  protocols: protocol1 ..
  source-ports: source-port1 ..
  modules: module1 ..
  destination: ipv1:address1 ..
The following options are only usable in the permanent configuration.
--permanent --new-service=service
--permanent --new-service-from-file=filename [--name=service]
--permanent --delete-service=service
--permanent --load-service-defaults=service
--permanent --path-service=service
--permanent --service=service --set-description=description
--permanent --service=service --get-description
--permanent --service=service --set-short=description
--permanent --service=service --get-short
--permanent --service=service --add-port=portid[-portid]/protocol
--permanent --service=service --remove-port=portid[-portid]/protocol
--permanent --service=service --query-port=portid[-portid]/protocol
--permanent --service=service --get-ports
--permanent --service=service --add-protocol=protocol
--permanent --service=service --remove-protocol=protocol
--permanent --service=service --query-protocol=protocol
--permanent --service=service --get-protocols
--permanent --service=service --add-source-port=portid[-portid]/protocol
--permanent --service=service --remove-source-port=portid[-portid]/protocol
--permanent --service=service --query-source-port=portid[-portid]/protocol
--permanent --service=service --get-source-ports
--permanent --service=service --add-module=module
--permanent --service=service --remove-module=module
--permanent --service=service --query-module=module
--permanent --service=service --get-modules
--permanent --service=service --set-destination=ipv:address[/mask]
--permanent --service=service --remove-destination=ipv
--permanent --service=service --query-destination=ipv:address[/mask]
--permanent --service=service --get-destinations
Helper Options
Options in this section affect only one particular helper.

[--permanent] --info-helper=helper
helper
  family: family
  module: module
  ports: port1 ..
The following options are only usable in the permanent configuration.
--permanent --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
--permanent --new-helper-from-file=filename [--name=helper]
--permanent --delete-helper=helper
--permanent --load-helper-defaults=helper
--permanent --path-helper=helper
[--permanent] --get-helpers
--permanent --helper=helper --set-description=description
--permanent --helper=helper --get-description
--permanent --helper=helper --set-short=description
--permanent --helper=helper --get-short
--permanent --helper=helper --add-port=portid[-portid]/protocol
--permanent --helper=helper --remove-port=portid[-portid]/protocol
--permanent --helper=helper --query-port=portid[-portid]/protocol
--permanent --helper=helper --get-ports
--permanent --helper=helper --set-module=module
--permanent --helper=helper --get-module
--permanent --helper=helper --set-family=family
--permanent --helper=helper --get-family
Internet Control Message Protocol (ICMP) type Options
Options in this section affect only one particular icmptype.

[--permanent] --info-icmptype=icmptype
icmptype
  destination: ipv1 ..
The following options are only usable in the permanent configuration.
--permanent --new-icmptype=icmptype
--permanent --new-icmptype-from-file=filename [--name=icmptype]
--permanent --delete-icmptype=icmptype
--permanent --load-icmptype-defaults=icmptype
--permanent --icmptype=icmptype --set-description=description
--permanent --icmptype=icmptype --get-description
--permanent --icmptype=icmptype --set-short=description
--permanent --icmptype=icmptype --get-short
--permanent --icmptype=icmptype --add-destination=ipv
--permanent --icmptype=icmptype --remove-destination=ipv
--permanent --icmptype=icmptype --query-destination=ipv
--permanent --icmptype=icmptype --get-destinations
--permanent --path-icmptype=icmptype
Direct Options
The direct options give more direct access to the firewall. These options require the user to know basic iptables concepts, i.e. table (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets (ACCEPT/DROP/REJECT/...).

Direct options should be used only as a last resort when it is not possible to use for example --add-service=service or --add-rich-rule='rule'.
The first argument of each option has to be ipv4 or ipv6 or eb. With ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
[--permanent] --direct --get-all-chains
[--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
[--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
There already exist basic chains to use with direct options, for example the INPUT_direct chain (see the output of iptables-save | grep direct for all of them). These chains are jumped into before the chains for zones, i.e. every rule put into INPUT_direct will be checked before the rules in zones.
[--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
[--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
[--permanent] --direct --get-all-rules
[--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
[--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
The priority is used to order rules. Priority 0 means the rule is added at the top of the chain; with a higher priority the rule is added further down. Rules with the same priority are on the same level and the order of these rules is not fixed and may change. If you want to make sure that a rule will be added after another one, use a low priority for the first and a higher one for the following.
[--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
[--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
[--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
--direct --passthrough { ipv4 | ipv6 | eb } args
[--permanent] --direct --get-all-passthroughs
[--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
[--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
[--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
[--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
Lockdown Options
Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt) or are authenticated using PolicyKit. With this feature administrators can lock the firewall configuration so that only applications on the lockdown whitelist are able to request firewall changes.

The lockdown access check limits D-Bus methods that change firewall rules. Query, list and get methods are not limited.
The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default.
--lockdown-on
This is a runtime and permanent change.
--lockdown-off
This is a runtime and permanent change.
--query-lockdown
Lockdown Whitelist Options
The lockdown whitelist can contain commands, contexts, users and user ids.

If a command entry on the whitelist ends with an asterisk '*', then all command lines starting with the command will match. If there is no '*', the absolute command including its arguments must match.
Commands for user root and for other users are not always the same. Example: as root /bin/firewall-cmd is used, as a normal user /usr/bin/firewall-cmd is used on Fedora.
The context is the security (SELinux) context of a running application or service. To get the context of a running application use ps -e --context.
Warning: If the context is unconfined, then this will open access for more than the desired application.
The lockdown whitelist entries are checked in the following order:
[--permanent] --list-lockdown-whitelist-commands
[--permanent] --add-lockdown-whitelist-command=command
[--permanent] --remove-lockdown-whitelist-command=command
[--permanent] --query-lockdown-whitelist-command=command
[--permanent] --list-lockdown-whitelist-contexts
[--permanent] --add-lockdown-whitelist-context=context
[--permanent] --remove-lockdown-whitelist-context=context
[--permanent] --query-lockdown-whitelist-context=context
[--permanent] --list-lockdown-whitelist-uids
[--permanent] --add-lockdown-whitelist-uid=uid
[--permanent] --remove-lockdown-whitelist-uid=uid
[--permanent] --query-lockdown-whitelist-uid=uid
[--permanent] --list-lockdown-whitelist-users
[--permanent] --add-lockdown-whitelist-user=user
[--permanent] --remove-lockdown-whitelist-user=user
[--permanent] --query-lockdown-whitelist-user=user
Panic Options
--panic-on
This is a runtime only change.
--panic-off
This is a runtime only change.
--query-panic
EXAMPLES
For more examples see http://fedoraproject.org/wiki/FirewallD

Example 1
Enable the http service in the default zone. This is a runtime only change, i.e. effective until restart.
firewall-cmd --add-service=http
Example 2
Enable port 443/tcp immediately and permanently in the default zone. To make the change effective immediately and also after restart, two commands are needed. The first command makes the change in the runtime configuration, i.e. makes it effective immediately, until restart. The second command makes the change in the permanent configuration, i.e. makes it effective after restart.
firewall-cmd --add-port=443/tcp
firewall-cmd --permanent --add-port=443/tcp
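Example 2 as an added Python helper (not from the man page): it applies one change to the runtime configuration and then to the permanent one, treats ALREADY_ENABLED (11) as success, refuses a --timeout because that option cannot be combined with --permanent, and checks both configurations with the matching query option. It assumes firewall-cmd is on PATH, that the caller is authorized, and that a query option exits 0 when the setting is present; the run parameter is a hypothetical hook so the logic can be exercised without the daemon.

```python
# Added example, not part of the firewall-cmd man page: the two-step
# runtime + permanent change from Example 2, with the exit-code handling
# a wrapper script needs.
import subprocess

ALREADY_ENABLED = 11        # from the EXIT CODES table: item already present
OK_CODES = {0, ALREADY_ENABLED}


def run_firewall_cmd(args):
    """Default runner: invoke the real client and return its exit code.
    Assumption: firewall-cmd is on PATH and the caller is authorized."""
    return subprocess.run(["firewall-cmd", *args], check=False).returncode


def apply_runtime_and_permanent(change, zone=None, run=run_firewall_cmd):
    """Apply `change` (e.g. ["--add-port=443/tcp"]) to the runtime
    configuration and then to the permanent configuration.

    Returns (runtime_rc, permanent_rc); permanent_rc is None when the
    runtime step was refused, because the permanent step is then skipped.
    Raises ValueError for --timeout, which the man page says is not
    combinable with --permanent.
    """
    change = list(change)
    if any(arg.startswith("--timeout") for arg in change):
        raise ValueError("--timeout is not combinable with --permanent")
    zone_opt = ["--zone=%s" % zone] if zone else []
    runtime_rc = run(zone_opt + change)
    if runtime_rc not in OK_CODES:
        # The daemon rejected the change; leave the permanent config alone.
        return runtime_rc, None
    permanent_rc = run(["--permanent"] + zone_opt + change)
    return runtime_rc, permanent_rc


def verify_both(query, zone=None, run=run_firewall_cmd):
    """True only if the query option (e.g. "--query-port=443/tcp") succeeds
    in both the runtime and the permanent configuration. Assumption: a
    query option exits 0 when the setting is present."""
    zone_opt = ["--zone=%s" % zone] if zone else []
    runtime_ok = run(zone_opt + [query]) == 0
    permanent_ok = run(["--permanent"] + zone_opt + [query]) == 0
    return runtime_ok and permanent_ok
```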
EXIT CODES
On success 0 is returned. On failure the output is colored red and the exit code is either 2 in case of wrong command-line option usage or one of the following error codes in other cases:

String | Code |
ALREADY_ENABLED | 11 |
NOT_ENABLED | 12 |
COMMAND_FAILED | 13 |
NO_IPV6_NAT | 14 |
PANIC_MODE | 15 |
ZONE_ALREADY_SET | 16 |
UNKNOWN_INTERFACE | 17 |
ZONE_CONFLICT | 18 |
BUILTIN_CHAIN | 19 |
EBTABLES_NO_REJECT | 20 |
NOT_OVERLOADABLE | 21 |
NO_DEFAULTS | 22 |
BUILTIN_ZONE | 23 |
BUILTIN_SERVICE | 24 |
BUILTIN_ICMPTYPE | 25 |
NAME_CONFLICT | 26 |
NAME_MISMATCH | 27 |
PARSE_ERROR | 28 |
ACCESS_DENIED | 29 |
UNKNOWN_SOURCE | 30 |
RT_TO_PERM_FAILED | 31 |
IPSET_WITH_TIMEOUT | 32 |
BUILTIN_IPSET | 33 |
ALREADY_SET | 34 |
MISSING_IMPORT | 35 |
DBUS_ERROR | 36 |
BUILTIN_HELPER | 37 |
INVALID_ACTION | 100 |
INVALID_SERVICE | 101 |
INVALID_PORT | 102 |
INVALID_PROTOCOL | 103 |
INVALID_INTERFACE | 104 |
INVALID_ADDR | 105 |
INVALID_FORWARD | 106 |
INVALID_ICMPTYPE | 107 |
INVALID_TABLE | 108 |
INVALID_CHAIN | 109 |
INVALID_TARGET | 110 |
INVALID_IPV | 111 |
INVALID_ZONE | 112 |
INVALID_PROPERTY | 113 |
INVALID_VALUE | 114 |
INVALID_OBJECT | 115 |
INVALID_NAME | 116 |
INVALID_FILENAME | 117 |
INVALID_DIRECTORY | 118 |
INVALID_TYPE | 119 |
INVALID_SETTING | 120 |
INVALID_DESTINATION | 121 |
INVALID_RULE | 122 |
INVALID_LIMIT | 123 |
INVALID_FAMILY | 124 |
INVALID_LOG_LEVEL | 125 |
INVALID_AUDIT_TYPE | 126 |
INVALID_MARK | 127 |
INVALID_CONTEXT | 128 |
INVALID_COMMAND | 129 |
INVALID_USER | 130 |
INVALID_UID | 131 |
INVALID_MODULE | 132 |
INVALID_PASSTHROUGH | 133 |
INVALID_MAC | 134 |
INVALID_IPSET | 135 |
INVALID_ENTRY | 136 |
INVALID_OPTION | 137 |
INVALID_HELPER | 138 |
MISSING_TABLE | 200 |
MISSING_CHAIN | 201 |
MISSING_PORT | 202 |
MISSING_PROTOCOL | 203 |
MISSING_ADDR | 204 |
MISSING_NAME | 205 |
MISSING_SETTING | 206 |
MISSING_FAMILY | 207 |
NOT_RUNNING | 252 |
NOT_AUTHORIZED | 253 |
UNKNOWN_ERROR | 254 |
SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewallctl(1), firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5), firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5), firewalld.helper(5)

NOTES
firewalld home page:
More documentation with examples:
AUTHORS
Thomas Woerner <twoerner@redhat.com>
Jiri Popelka <jpopelka@redhat.com>

firewalld 0.4.4.2